Configuring Workspace Personal and Workspaces Pools SAML Authentication with Auth0

1. Create an App in Auth0 to generate the Metadata manifest file.
2. Create a SAML Identity Provider in AWS Identity and Access Management (IAM).
3. Create a SAML 2.0 Federation IAM Role and IAM Policy.
4. Configuring Auth0 and SAML assertions.
5. Enabling SAML 2.0 Integration in your workspaces directory.
6. Test your configuration.

NOTE : Please make to go over the appropriate requirements and pre-requisites outlined here. For lab purposes I have created a Auth0 lab account using the following link.

• Auth0 Account with Active directory connector configured.
• AWS Managed Active Directory configured for AWS Workspaces
• A provisioned Amazon Workspace within the same directory.

• Login to Auth0 console and navigate to Authentication -> Enterprise and then select Active Directory/LDAP.

• Select Create Connection name and then provide the name to your AD Connection. I have named my connection as below.

• On the Setup Tab download the required Installed as per the operation system. Once the installation is complete you should see the below tab populating with your default browser.

• Enter the provisioning ticket Url which should be unique for your connection string and then click Continue.
• Next Enter the Administrator Username as Domain\Username and password , click save.
• Once the connection is established to Auth0 you should see the following log details if all the checks are successful.

• After successful verification the respective AD\LDAP Connection should be back to online status.

• Log back into the Auth0 management console and create a New Application. Once the application is created navigate to AddOns tab and enable SAML2 WEB APP.

• Click on the SAML2 WEB APP to configure the Addon which will be used to provide the AWS SAML call back url along with the SAML configuration setting that would be required to identify NameIdFormat.
• On the settings tab within the Application Callback Url add "https://signin.aws.amazon.com/saml" this is where the SAML token will send the POST request. Next update the settings section paste the following SAML configuration code in json format.

• Scroll down at the bottom save and click enable.
• Next navigate to the Usage tab and then download the metadata manifest file. This file would be required in the next steps.

• Close the SAML2 Web App window, then click over Connections. Under Enterprise, select the correct Active Directory/LDAP Connector and enable.

• For this step we will follow the steps as outlined in our AWS Public Documentation.

• Sign in to Auth0 Management Dashboard, go to Actions->Library-> Create Action -> Build from Scratch.
• Provide a Name , keep the trigger as Login/Post Login and runtime as Node 18 then click Create.

• On the Next Screen Copy Paste below Code an Click Deploy.

• Replace the appropriate application name in the event.cllient.name section which was created in Step.1 . Followed by updating the awsRole section with the respective IAMRole arn and Idp_arn which was created in Step 3.
• Once the step is done please navigate to Actions --> Flows -> Click Login.
• On the right hand side under Add Action -> click Custom and move the action which was created in previous step between Start and Complete as per the below screenshot. This will allow the end users to assume the respective IAM role and IDP defined in the logon flows.
• Once done Click Apply.

• For this step please follow the steps outlined in the following AWS Public Documentation. You can keep the IdP deep link parameter name as “RelayState”.
• User Access url : This can be achieved from Usage Tab from the SAML Web App Addon Section.

• Open your Amazon Workspaces Client to test this configuration and provide your registration code. You should see something similar to below.

• 

• Click continue to proceed ahead with the saml authentication where you will be redirected to the IDP logon page in this case Auth0 that will look something as seen below.

• Sign in with your AD username and password once successful you should be redirected to specific region end point url and then redirected to the Workspace Client with pre-populated workspace username.

• Enter your username password and you should be logged into the Workspace.

PART-II : In this section I have added the additional steps that would be required to Setup SAML authentication for Workspaces Pools using Auth0.

NOTE : My Workspaces Pool Lab is domain Joined using AWS Managed AD but this can be implemented using self managed ad or without any Active Directory Integration as well

Things to keep in mind while setting up AWS Workspaces Pools with directory domain join make sure to have the DHCP option scope updated with appropriate Domain DNS Ip address or if you are using default dhcp option scope you can use Route53 outbound resolver to forward the requests to the respective Domain DNS. Modifying or updating DHCP option scope is not a requirement if you want to have non domain Workspaces Pools.

• https://docs.aws.amazon.com/whitepapers/latest/best-practices-for-deploying-amazon-appstream-2/vpc-design.html
• https://guide.aws.dev/articles/ARNAUCSX2UT22h2rouPsxGNQ/how-to-deploy-appstream-domain-join-environment-without-using-custom-dhcp-option-set

• This step will be same as we did for Workspaces Personal Setup.

• Same steps would be required to create appropriate SAML assertions for Workspaces Pool setup.

Testing Workspaces Pool SAML authentication.

• Open the Workspace Client and enter the respective registration code provided by your admin.

• After Entering the Workspace Pool registration code you will be asked to continue with authentication to the IDP portal where the corresponding Workspaces_pool application has been configured.

• Once the end user is authenticated at the Identity provider url , the session provisioning request will be redirected to the Workspace.

• After successful authentication you should be able to confirm the Workspaces pooled desktop is a part of Pool Directory.

Conclusion